Roundup snapshot — 2026-06-18

Lifted three sharpened principles from a review of the ponytail ruleset
into "When proposing changes".

AGENTS.md

@@ -17,7 +17,8 @@ The global layer lives here and is wired into `~/.claude` by **directory symlink
 file added under `adapters/` is live immediately — no per-file linking:
 
 - `~/.claude/commands` → `adapters/claude/commands/` — global slash commands (`/retrofit`,
-  `/handoff`, `/full-eval`, `/capture`, `/triage`, `/roundup`, `/new-project`, `/design`).
+  `/handoff`, `/full-eval`, `/capture`, `/triage`, `/roundup`, `/new-project`, `/design`,
+  `/adjudicate`).
 - `~/.claude/agents` → `adapters/claude/agents/` — global subagents (reviewer, evaluator,
   security-auditor, doc-auditor, exerciser, researcher, janitor, portability-checker,
   start9-spec-checker, design-checker, onboarding-tester).
@@ -88,21 +89,24 @@ should carry this so any vendor's agent surfaces pending items at session start:
 ## Current state
 
 - **Fleet built and live** — commands `/capture /triage /roundup /new-project /handoff /retrofit
-  /full-eval /design`; subagents incl. `design-checker` + `onboarding-tester` (substance in
+  /full-eval /design /adjudicate`; subagents incl. `design-checker` + `onboarding-tester`
-  `guides/`, thin wrappers in `adapters/claude/`, symlinked into `~/.claude`). Dogfoods its own
+  (substance in `guides/`, thin wrappers in `adapters/claude/`, symlinked into `~/.claude`).
-  standard. Latest `/roundup`: `STATUS.md` 2026-06-16.
+  Dogfoods its own standard. Latest `/roundup`: `STATUS.md` 2026-06-16.
-- **`onboarding-tester` built this session (ROADMAP item 9), live.** Docs-only adopter agent: walks
+- **`/adjudicate` shipped this session (ROADMAP item 10).** Debates parked P2/P3 backlog to
-  a product's published docs as a literal newcomer (never reading source), reports doc gaps, and on
+  DROP/DO/ESCALATE verdicts; recommend-only v1, autonomy gated by blast radius, ROADMAP-only.
-  a fully clean run emits a publishable "all it took was X, Y, Z" walkthrough. First target: keysat
+  **Untested on a real backlog** — the first run should eyeball the judge's drop-bias before
-  SDK integration, **staged** — Stage 1 (Path 1, manual issuance under keysat's new `merchant-onboard`
+  trusting it (tune the tie-break rule in `guides/adjudicate.md` if it over-drops). Best first
-  key, `d5885d1`) is **unblocked**, runs in a keysat session; Stage 2 (Path 2, buyer-pays on regtest)
+  targets: keysat, recap.
-  is **gated** on keysat's greenlit `payment_providers:write` scope + network gate + sandbox flag.
+- **`onboarding-tester` live; first harness still pending (item 9).** Stage 1 (Path 1, manual
-- **Design system (ROADMAP item 8) shipped** — `/design` → `design/DESIGN.md` + DTCG tokens;
+  issuance under keysat's `merchant-onboard` key) is **unblocked** — build the harness + first run
-  `design-checker`; `/new-project` scaffolds `design/`. Pilot: keysat import. **Open:** extract→reconcile
+  in a keysat session. Stage 2 (Path 2, buyer-pays on regtest) is **gated** on keysat's
-  path untested; a fresh Claude Design run still needed to confirm export internals + tune Phase-C.
+  `payment_providers:write` scope + network gate + sandbox flag.
-- **Next steps:** (1) run the Stage-1 `onboarding-tester` harness in a keysat session (item 9);
+- **Design system live (item 8).** recap Case B (Extract) backfill done (app 0.2.161). **Open
-  (2) backfill design into recaps.cc/recap — extract→reconcile Case B (item 8); (3) cross-repo
+  (decoupled):** a fresh Claude Design run to confirm export internals + tune Phase-C.
-  quality-gate standard + `/harden` (item 1); (4) non-git-folder sweep under `~/Projects` (~13).
+- **Next steps:** (1) first real `/adjudicate` run on keysat/recap to calibrate the drop-bias
+  (item 10); (2) Stage-1 `onboarding-tester` harness in a keysat session (item 9); (3) cross-repo
+  quality-gate standard + `/harden` (item 1); (4) non-git-folder sweep under `~/Projects` (item 6
+  residual).
 - Queued in `INBOX.md` for other repos' `/triage`: keysat design cleanup (P2) + onboarding Path-2
   (P3); `ten31-transcripts` mini-retrofit; `ten31-database` networking/icon/intake; (standards)
   operator-onboarding agent (P3).

INBOX.md

@@ -31,27 +31,21 @@ Example:
 ## Items
 
 <!-- /capture appends below this line -->
-- [ ] (ten31-transcripts) [chore][P1] Mini-retrofit — repo is an active Xcode/Swift app but has NO `.claude/` dir. Do, in order: (1) add the portable inbox-check line to `AGENTS.md`, tagged `(ten31-transcripts)`; (2) create `.claude/settings.json` (at minimum `{}`) so shared project config/hooks become committable; (3) bring `.gitignore` to the canonical block in `standards/portability.md` → "What git tracks" — the deny-by-default `.claude/*` + allow-list, **plus** `.env.*` and `!.env.example` (both currently missing); (4) judgment call — only if the flat `docs/NN_*.md` files are genuinely subsystem-scoped, reorganize them into `docs/guides/` + `.claude/rules/` relative symlinks with one index line each in AGENTS.md. The `CLAUDE.md → AGENTS.md` symlink is already correct; no secrets are currently tracked. Full context: `standards` ROADMAP item 6 residuals — from the cross-repo git-hygiene audit, 2026-06-14
 - [ ] (standards) [feature][P2] API automation for Gitea in /new-project — automate the currently-manual Gitea create/publish gate via the Gitea API, 2026-06-14
-- [ ] (ten31-transcripts) [feature][P2] Add Jitsi to ten31-transcripts, 2026-06-14
-- [ ] (recap) [feature][P2] Recaps (or a recaps relay) should send a daily digest via SMTP, 2026-06-14
 - [ ] (new:embedded-links-reader) [project][P2] Embedded-links reader & summarizer — give the app an article/blog URL; it scrapes the links the author embedded (the ones you don't want to visit in the moment), reads them, and summarizes them, 2026-06-14
 - [ ] (new:portfolio-scraper) [project][P2] Portfolio-company scraper — tracks portfolio companies for podcasts, social tweets, founder appearances, news, etc. and delivers a digest via email or another interface, 2026-06-14
-- [ ] (recap) [bug][P2] Mobile gets stuck and can't scroll back to top — recaps.cc transcript view. ATTEMPTED in app 0.2.157 (-webkit-overflow-scrolling:touch + overscroll-behavior:contain on .chunks-scroll); UNVERIFIED — needs on-iPad check, plus a screen recording if it persists, 2026-06-14
-- [ ] (ten31-database) [chore][P2] Reconcile AGENTS.md networking facts: the doc says the CRM is reached "on the LAN or over Tailscale," but it's actually served over ClearNet (StartTunnel) with app-level user auth, and Tailscale is NOT in use. Fix the access/networking wording — surfaced during standards placement-guide verification, 2026-06-15
 - [ ] (recap-relay) [chore][P3] AGENTS.md endpoint list mis-describes POST /relay/analyze as "{ transcript, … } → topic sections JSON". The actual route (server/routes/analyze.js) takes a free-form { prompt: string } and returns the standard envelope { result: { text } }; "topic sections JSON" is only what the recap-app caller asks for in its prompt. Fix the request-shape wording to { prompt } — surfaced resolving Recaps' Daily Digest synthesis contract (Q4), 2026-06-15
-- [ ] (ten31-database) [bug][P2] Service package icon on StartOS is oversized/zoomed in and needs a better rendering — research Start9 icon spec, source or provide base ten31 logo, and produce a correctly sized icon before the next s9pk upload, 2026-06-16
 - [ ] (keysat) [chore][P2] Design-contract cleanup from the 2026-06-16 design-checker audit — full detail in keysat ROADMAP "Design (contract conformance)" + design/DESIGN.md. (1) Fix 3 blockers (code violates the contract's named "never" rules on live CTAs): (a) gold-as-fill on admin `.featured-pill-toggle.on` (licensing-service-startos/licensing-service/web/index.html:418) → navy fill or gold border+text; (b) gold-as-fill on admin `#tier-banner-cta` upgrade button (web/index.html:537-542) → navy primary; (c) primary buy CTA pill radius 999px (keysat-xyz-landing/index.html:384-385) → r-md 8px. (2) Structural: consolidate the 4 surfaces' inlined CSS-variable copies onto canonical design/brand/palette.css (import it, drop private copies). (3) Token gaps (tokenize-vs-snap): 14px landing card radius; wordmark letter-spacing 0.30 vs 0.28em (add letterSpacing.wordmark token); semantic badge text one-offs (#205c47/#7a5814/#8a2828); hardcoded syntax-highlight hex → var(); admin #f6f1e7 off-token. Re-run design-checker after to confirm, 2026-06-16
-- [ ] (ten31-database) [feature][P2] Matrix-bridge intake for the fundraising grid — use the matrix-bridge repo's pattern to listen on a dedicated ten31-database Matrix room; send a message (with optional business card photo) and a local LLM via Spark Control parses it into the fundraising grid schema, auto-creates the investor entity + contact row; for existing investors, send a meeting note and it appends an interaction log entry; approval gate: the bot replies in Matrix with the proposed add/edit, user approves/rejects/edits in-thread before the write commits, 2026-06-16
-- [ ] (ten31-database) [idea][P2] have explorer agent reply with what web UI functionality is visible only to admin vs to all users — 2026-06-16
 - [ ] (ten31-signal-engine) [chore][P2] Run full-eval on the signal engine folder — the full evaluation suite (evaluator, security-auditor, exerciser, doc-auditor, spec-checker), 2026-06-16
-- [ ] (?) [idea][P2] run janitor agent on all projects — via matrix, 2026-06-16
+- [ ] (standards) [idea][P2] run janitor agent on all projects — via matrix, 2026-06-16
 - [ ] (keysat) [chore][P2] does the keysat registry need to save every iteration of new versions of keysat software as we upgrade it? research agent needs to investigate — via matrix, 2026-06-16- [ ] (keysat) [chore][P2] Adversarial review of keysat- what vulnerabilities, customer complaints, feature gaps, might a new user find. — via matrix, 2026-06-16
 - [ ] (keysat) [chore][P2] run spec-checker agent for listing to start9 community registry — via matrix, 2026-06-16
 - [ ] (keysat) [chore][P2] review website for any drift/inconsistencies (doc-auditor), review GitHub for any sensitive information in historical commits (revealed info), review website and consider adding specific example of how to add licensing to existing software (for example this is a good way to test the dry run of a new user just using documentation... we could give an agent the proof-of-work software and see if they can just add a license paywall in front of it before they can use it in one shot) — via matrix, 2026-06-16
 - [ ] (recap) [idea][P2] add gemini 3.5 to model selection, need to have research agent check which models are available (stable versions) and the correct model name — via matrix, 2026-06-16
 - [ ] (recap-relay) [idea][P2] add gemini 3.5 to model selection, need to have research agent check which models are available (stable versions) and the correct model name — via matrix, 2026-06-16
 - [ ] (new:personal-website) [project][P2] Develop personal website — host on Start9 Pages, served on clearnet via StartTunnel; build HTML site, use Claude Design for styling, gather design inspiration — 2026-06-16
-- [ ] (ten31-database) [bug][P2] error message in email capture tab on email sync status — via matrix, 2026-06-16
 - [ ] (keysat) [feature][P3] Onboarding-tester Path 2 — full buyer-pays walkthrough on regtest. GATED on keysat shipping `payment_providers:write` (opt-in scope, never bundled into merchant-onboard) + network gate (scoped connect = regtest/testnet/signet only, mainnet master-only, fail-closed) + daemon-level sandbox-mode flag (greenlit with the keysat dev 2026-06-16; see plans/agent-payment-connect-scope.md). Then: harness stands up a BTCPay regtest stack + a sandbox-flagged keysat instance, grants the agent merchant-onboard + payment_providers:write, and the agent connects BTCPay (regtest) AND drives a test buyer payment that activates a license — entire chain agent-done, zero master-key steps. Walkthrough must be labeled regtest; production mainnet-connect stays the operator's one reserved step BY DESIGN (frame as security feature). Build AFTER Path 1 (no-payments) ships, since the BTCPay-regtest stack is the bulk of the new infra, 2026-06-16
-- [ ] (standards) [agent][P3] Operator-onboarding agent — sibling to onboarding-tester for the *operator* journey (stand up + run keysat from docs alone: sideload/registry install on StartOS, configure, issue first license), vs. the developer SDK-integration journey onboarding-tester already covers. Needs its own clean room (a clean StartOS service-install, not a generic VPS, since the s9pk can't run on a vanilla Linux box), 2026-06-16
+- [ ] (standards) [agent][P3] Operator-onboarding agent — sibling to onboarding-tester for the *operator* journey (stand up + run keysat from docs alone: sideload/registry install on StartOS, configure, issue first license), vs. the developer SDK-integration journey onboarding-tester already covers. Needs its own clean room (a clean StartOS service-install, not a generic VPS, since the s9pk can't run on a vanilla Linux box), 2026-06-16- [ ] (ten31-database) [idea][P2] backup history in settings tab should be minimized and expandable with a chevron. default to minimized and shown at the bottom since it is rarely viewed — via matrix, 2026-06-18
+- [ ] (ten31-database) [idea][P2] screen refresh should preserve viewing the same tab you were already on, rather than default back to the top tab — via matrix, 2026-06-18
+- [ ] (keysat) [feature][P2] ability to reorder entitlements catalog on edit products view — via matrix, 2026-06-18
+- [ ] (spark-control) [idea][P2] we should redesign the software logo/icon (used for startos service).. it doesn't really relate to anything, though the color scheme seems to match — via matrix, 2026-06-18

ROADMAP.md

@@ -155,10 +155,17 @@ front-end, never a dependency.
 
 **Remaining options:** (a) `/retrofit` should backfill `design/` into existing user-facing
 repos (keysat, recap, recaps.cc, premier-gunner, ten31-database, ten31-transcripts) — run
-`/design` then `design-checker` per repo; (b) fold a `design-checker` pass into `/full-eval`
+`/design` then `design-checker` per repo. **Done (recap, 2026-06-17):** recap was the first
+**Case B (Extract)** backfill — document-as-is. It validated the extract→reconcile path
+(previously untested — keysat was Case A/Import); the contract was distilled and the
+conformance cleanup shipped in two phases (recap app 0.2.161). Extract-phase Phase-D learnings
+landed in `guides/design.md` (commit `9031281`); cleanup-execution learnings are now in
+`guides/design-checker.md`. **Remaining backfill repos:** recaps.cc, premier-gunner,
+ten31-database, ten31-transcripts. (b) fold a `design-checker` pass into `/full-eval`
 for repos that have a contract; (c) confirm against a real Claude Design run what the export
 bundle actually contains and tune the Phase C distillation (the export internals are only
-medium-confidence from research).
+medium-confidence from research) — kept **decoupled** from the recap run so one untested thing
+moves at a time.
 
 ## 9. `onboarding-tester` — docs-only fresh-adopter agent ✅ BUILT (agent); harness pending (staged Path 1 → Path 2)
 
@@ -207,3 +214,34 @@ Qdrant, and it hosts matrix-bridge); **don't hardcode a model — query the Spar
 gateway** for the live one (daily driver Qwen3.6, hot-swappable); networking reduced to LAN /
 WireGuard / StartTunnel (Proton VPN + Tor were legacy, dropped). UNVERIFIED banner replaced
 with a "verified 2026-06-15" note; decision steps 4 and 6 aligned. Commit `ee5c8bb`.
+
+## 10. `adjudicate` — debate low-priority backlog items to a verdict ✅ BUILT (2026-06-17)
+
+Built and live: `guides/adjudicate.md` + `adapters/claude/commands/adjudicate.md` (the
+`/adjudicate` command). Solves backlog clutter the owner can't easily judge: low-priority
+(P2/P3) technical/backend items that may be necessary or may be bells-and-whistles, and that
+he shouldn't spend expertise on *because* they're low priority. Run inside a repo, it
+adjudicates that repo's ROADMAP items via a grounded debate and routes each to a verdict the
+owner ratifies instead of researching.
+
+- **Pipeline (per item):** investigator (read-only — does the problem exist? already handled?
+  what would it touch? + blast-radius classification) → build-advocate ∥ drop-advocate (argue
+  from the investigator's findings, not speculation) → judge (rubric = `how-i-work.md` + repo
+  `AGENTS.md`; **biased to DROP on ties / low confidence**, since these are already low-priority).
+- **Three verdicts:** **DROP** (the only autonomously-applied call — ratified in one batch, owner
+  needn't understand the tech), **DO** (worth it + LOW blast radius → annotated with a ready plan,
+  recommend-only, not executed), **ESCALATE** (worth it but HIGH blast radius / low confidence /
+  an epic → balanced brief for the owner's call).
+- **Autonomy is gated by blast radius, not priority** — HIGH = touches data/auth/money/external
+  surface or changes observable behavior (unclear ⇒ HIGH). It may auto-recommend *dropping* a HIGH
+  item but never *doing* one.
+- **ROADMAP-only input.** Nudges the owner to `/triage` first if untriaged inbox items exist for
+  the repo, but never reads raw inbox items into the debate (that's `/triage`'s routing job —
+  duplicating it invites drift). Two gates: confirm the item set before fan-out (cost control),
+  then approve the batch of ROADMAP edits. The ROADMAP diff + commit message is the audit trail
+  (no separate report file).
+
+**Remaining options:** (a) **v2 — narrow auto-execution** of the safe "DO + LOW blast radius +
+reversible + test-covered" class, once the owner has watched it make calls and trusts the verdicts
+(deliberately deferred — recommend-only first to build trust); (b) a thin `/triage`-then-`/adjudicate`
+combo if the two-command chaining friction proves real (YAGNI for now).

STATUS.md

@@ -1,122 +1,139 @@
-# Roundup — 2026-06-16
+# Roundup — 2026-06-18
 
-Repos scanned: keysat, matrix-bridge, premier-gunner, proof-of-work, recap-relay, recap, spark-control, standards, ten31-database, ten31-signal-engine, ten31-transcripts (11 git repos under `~/Projects`).
+Repos scanned (11): keysat, matrix-bridge, premier-gunner, proof-of-work, recap-relay, recap, spark-control, standards (meta/tooling), ten31-database, ten31-signal-engine, ten31-transcripts.
-Skipped/failed: none. (Non-git folders under `~/Projects` not enumerated — a ~13-folder sweep is itself a standards ROADMAP item.)
 
-This is an inventory, not a ranking. Per-repo priority markers are quoted as found; projects are **not** ranked against each other.
+Skipped (non-git folders under `~/Projects`, noted not dropped): discount-watcher, expense-organizer, giga, Grand-Cayman-paddleboard, heart-rate, one-river, `satoshi-sleep (need to add code)`, `START9 PACKAGING`, ten31-command-center, timestamp-converter, timestamp-newspaper, website-landing, Workout-log. (Failed readers: none.)
+
+> Read-and-report only. Items are grouped by the priority signals found in each repo and the inbox; projects are **not** ranked against each other and no "what to work on" call is made — that's yours. The repo backlogs below already live durably in each repo's ROADMAP; the **inbox items are itemized in full** because they exist nowhere else yet.
 
 ---
 
 ## Per-project snapshot
 
-**keysat** — Bitcoin-native software-licensing service, StartOS 0.4.x package + 4 SDKs + public landing/docs site. Live at `0.2.0:56` on registry and `immense-voyage.local`; multi-profile write path shipped this session; tests green. In progress: 3 remaining multi-profile UIs (rail picker, per-profile SMTP, rail-pref editor) + operator data action (grant `unlimited_merchant_profiles` to Pro/Patron). Next: those UIs, then split `audit:read` out of `:read`. Discovered P2 (unfixed): `set_product_entitlements_catalog` has no `rows_affected` guard.
+**keysat** — Bitcoin-native software-licensing service (StartOS 0.4.x s9pk + 4 SDKs + landing/docs). Live `0.2.0:60` on immense-voyage.local serving licensing.keysat.xyz; `:60` shipped the Zaprite auto-charge silent-lapse fix + docs reconciliation; `cargo check`/`tsc`/tests green. **Next:** multi-profile webhook routing test → split `audit:read` scope → operator-alerts-via-StartOS → registry `prepare.sh`.
 
-**matrix-bridge** — Single-user Matrix bot turning a room message into a live Claude Code session per repo, surfaced to phone. Phases 0–3 + ask mode all done; capture mode (D13) LIVE 2026-06-16 on 1 room, N=3 pending. Keyword-type parsing pushed (`0786286`) but running bot pending one Update — still logs every capture as `idea`. Next (triggered, not urgent): Docker HEALTHCHECK, ask-script trust flag, capture priority keyword.
+**matrix-bridge** — Single-user Matrix bot turning a room message into a live Claude Code session on the Mac, surfaced to phone. Phases 0–3 + ask mode all DONE and live (Docker on Spark); capture mode deployed. **In progress:** none; only optional optimizations (Docker HEALTHCHECK, trust-gate flag, priority keyword). **Watch:** Update button depends on modelo's Gitea ssh `IdentitiesOnly yes` pin.
 
-**premier-gunner** — Kid-friendly soccer-training tracker PWA, StartOS `.s9pk`. All requested features built and live at `v0.1.7:0`. No work in progress. Known issue: in-app password change reverts on restart (workaround: "Set Login Password" action). Next: confirm speed unit (mph vs km/h); optional eval backlog.
+**premier-gunner** — Kid-friendly soccer-training tracker PWA (one player), StartOS s9pk. Live `v0.1.7:0`; all requested features built/deployed. **In progress:** none. **Next:** confirm speed unit (mph vs km/h); work the eval backlog if desired. **Known issue:** in-app password change reverts on restart (use the StartOS action).
 
-**proof-of-work** — Self-hosted multi-user workout logger (Next.js), StartOS 0.4 s9pk. Latest `v1.2.0:5` (Gear replaces RPE for cardio); 231 tests pass, verified on-box. Known open bug: Mobile Safari first-login tap fails (gated on capturing error code). Pending: StartOS proxy real-client-IP forwarding check. Next: finish P3 hardening batch (CSP `unsafe-eval`, `/api/health` info disclosure, rate-limit map leak, etc.), then tiered AI prompt formatting.
+**proof-of-work** — Self-hosted multi-user workout logger (Next.js 15) as StartOS s9pk. Live `1.2.0:5` (Gear replaces RPE for cardio); built + sideloaded, verified on-box (231 tests pass). **Known bug (P2):** Mobile-Safari first-login-tap fails once then works — gated on a Safari error code to pick client vs server fix. **Next:** P3 hardening batch → tiered AI prompt formatting → Next 15→16.
 
-**recap-relay** — Operator-side credit-metered transcription/analysis router (Gemini + Spark Control); ships to operator's box only, never public. Aligned at `v0.2.126`, 79 tests green. Recent: Users dashboard tab, persistent webhook dedup, CORS scoped to `/relay/*`. Next: split 2225-line `routes/internal-meetings.js` (deferred as likely overkill); P3+ deferred tail.
+**recap-relay** — Operator-side credit-metered service in front of Gemini + Spark Control, powering Recaps' transcription/analysis pipeline. Aligned at relay `0.2.126` (app `0.2.155`), 79 tests green; Users dashboard tab + persistent webhook-dedup shipped; BTCPay-only rail; CORS scoped. **In progress:** none open above P2. **Next:** P2/deferred tail (split 2225-line internal-meetings.js — likely overkill; security/doc P3s).
 
-**recap** — YouTube + podcast summarizer + library; StartOS self-host package **and** cloud SaaS (recaps.cc). Live: app `0.2.159` + relay `0.2.126`, 144 tests pass. Loose end: Daily Digest's relay-synthesis + SMTP path not yet smoke-tested off-box. 5 pending operator actions (incl. iPad scroll-fix verify, digest smoke-test). Next: persist provider preference server-side, Export menu on clip panel, CI lint+type-check.
+**recap** — YouTube/podcast summarizer + library SPA, StartOS s9pk + cloud at recaps.cc. Live app `0.2.161` + relay `0.2.126`, 144 tests pass; self-serve Pro/Max purchase + design system (Phases 1–2) complete. **Loose end:** Daily Digest relay-synthesis+SMTP installed but not smoke-tested on-box (operator action #5). **Next:** operator smoke-test #5; resolve P2 known-debt cluster.
 
-**spark-control** — Browser StartOS package controlling a dual NVIDIA DGX Spark cluster (vLLM swaps, STT/diarization/TTS, embeddings, redaction). Working at `v0.21.0:1`; matrix-bridge bot tile done; 70 offline tests pass. Signal Engine transient unresponsiveness diagnosed as GPU concurrency (client-side remedy forwarded). Next: audio concurrency sweep (only if Signal Engine dev wants it; needs owner OK), else pull from ROADMAP.
+**spark-control** — Browser StartOS package driving a dual NVIDIA DGX Spark cluster (vLLM swaps, health/proxy, STT/TTS/diarization, embeddings, redaction). Live `v0.26.0:0` (disk-driven model menu); OpenClaw/Johnny-5 coexistence epic fully shipped (v0.25.0); 137 tests pass. **In progress:** Gemma-4-26B-A4B vision eval (recipe in catalog, not yet downloaded/swap-tested). **Awaiting:** Signal-Engine client-side flakiness remedy forwarded to dev.
 
-**standards** *(meta/tooling layer)* — Global agent-operating standards + the live fleet (8 commands, subagents) symlinked into `~/.claude`. Fleet operational; design system shipped (ROADMAP item 8); keysat design pilot ran end-to-end (import path tested, extract path not). Next: backfill design into recaps.cc/recap (extract→reconcile Case B), build cross-repo quality-gate standard + `/harden` (ROADMAP item 1), non-git-folder sweep (~13).
+**standards** *(meta/tooling)* — Home of agent standards + the live global fleet (8 commands, 11 subagents, served via `~/.claude` symlinks). `/adjudicate` shipped (item 10), **untested on a real backlog** — first run should calibrate drop-bias. **Next:** first `/adjudicate` run on keysat/recap; Stage-1 onboarding-tester harness; cross-repo quality-gate standard + `/harden`; non-git-folder sweep.
 
-**ten31-database** — Self-hosted venture-fund CRM (Ten31, ~$200M AUM) with agentic fundraising/thesis/outreach layer; replaced Airtable. Box+repo at `v0.1.0:82` (2026-06-16), verified live; 22/22 backend tests green; vendored React+SRI+render-smoke gate added. Decision: fundraising grid + email capture is canonical, classic-CRM surfaces retiring. Next: auth regression test for 3 v79-gated endpoints, digest Phase B verify, reports soft-delete sweep, pipeline adoption, `?limit=abc` crash.
+**ten31-database** — Self-hosted venture-fund CRM (replacing Airtable) with an agentic AI layer for funnel-widening + outreach drafting. Phase 0/1 built; deployed & verified live `v0.1.0:91` (2026-06-18); grid is canonical SoR, Matrix email-proposal review + pipeline adoption + intake bot all live. **Unsmoked:** intake fuzzy-match numbered-pick grammar. **Debt (P2):** soft-delete sweep residue, `?limit=abc` crash, auth regression test, oversized icon, 5.4k-line monolith.
 
-**ten31-signal-engine** — Pipeline ingesting audio + text (SEC filings, calls, research) into structured propositions → falsifiable investment signals scored through Ten31's thesis. Strike adversarial test CONDITIONAL PASS (2026-06-16); pipeline complete end-to-end (56,008 claims in Qdrant); engine correctly refuses the false positive. Reflexivity demo unexercised (RHR/CD audio transcription deferred — no GPU spend). No automated test suite yet. Next: Frontier-fan-out test H6, complete Strike reflexivity demo when GPU budget allows, Job A discovery scorers.
+**ten31-signal-engine** — Recurring pipeline ingesting audio + text → structured "claims" → investment signals via Ten31's thesis lens, each logged as a falsifiable prediction. **Strike adversarial test: CONDITIONAL PASS (2026-06-16)** — 56,008 claims embedded, false positive correctly refused; reflexivity demo unexercised (RHR/CD/Bitcoin.Review audio deferred). No automated test suite yet. **Next:** Frontier-fan-out test H6 → complete Strike reflexivity demo → Job A discovery scorers.
 
-**ten31-transcripts** — Active Xcode/Swift app. Reader returned a macOS menu-bar call-recorder summary (dual-track audio capture → Spark Control backend for transcription/diarization/naming); main branch clean, 73 tests pass, backend connected end-to-end 2026-06-16. **Caveat:** the inbox describes ten31-transcripts as a Swift app with **no `.claude/` dir** and a queued P1 mini-retrofit — so either this repo *is* that recorder app (and the AGENTS.md was read despite no `.claude/`) or the reader picked up an adjacent app's docs. See Gaps; confirm the repo's own AGENTS.md before acting.
+**ten31-transcripts** — Native macOS menu-bar app: detects calls, records dual-track audio, sends to Spark Control for transcription/diarization. `main` clean + pushed; app rebuilt+installed, 91 tests pass; meeting-name prompt + folder rename shipped & reviewer-verified. **Pending verify:** naming prompt + rename on a live stop. **In progress/unverified:** Meet visual fix (reject solid camera-off tiles).
 
 ---
 
 ## Priority queue (all projects + untriaged inbox)
 
-Explicit-priority and concrete next-action items, each once. Sprawling P3 tech-debt tails are rolled to a single per-repo line pointing at that repo's ROADMAP rather than enumerated.
+No P0 or P1 items exist anywhere — nothing is flagged drop-everything or urgent. Repo "next steps" carry no Pn marker; they're the operator's chosen next moves, listed under **Next actions (no Pn)**. Repo ROADMAP backlogs live durably in each repo and are summarized per-line with a pointer; **inbox items are itemized in full** below and again under "Not yet pushed down."
 
-**P1**
+### P2
-- [P1] ten31-transcripts: mini-retrofit — add inbox-check line, create `.claude/settings.json`, canonical `.gitignore` block, optional docs reorg — source: inbox(untriaged) — INBOX.md L34
+- [P2] Design-contract cleanup (3 blockers + structural CSS consolidation + token gaps) — source: inbox(untriaged) → keysat — INBOX.md / keysat ROADMAP "Design (contract conformance)"
-- [P1] matrix-bridge: push the pending **Update** so the running bot picks up keyword-type capture parsing (commit `0786286`) — currently logs every capture as `idea` — source: matrix-bridge — AGENTS Current state
+- [P2] Research: does the keysat registry need to retain every prior software version? — source: inbox(untriaged) → keysat — INBOX.md (via matrix)
+- [P2] Adversarial review of keysat (vulns / customer complaints / feature gaps a new user would find) — source: inbox(untriaged) → keysat — INBOX.md (via matrix)
+- [P2] Run spec-checker agent for Start9 community-registry listing — source: inbox(untriaged) → keysat — INBOX.md (via matrix)
+- [P2] Website doc-auditor pass + scan GitHub history for leaked info + add "add licensing to existing software" example — source: inbox(untriaged) → keysat — INBOX.md (via matrix)
+- [P2] Ability to reorder entitlements catalog on edit-products view — source: inbox(untriaged) → keysat — INBOX.md (via matrix)
+- [P2] Add Gemini 3.5 to model selection (research available stable model name first) — source: inbox(untriaged) → recap — INBOX.md (via matrix)
+- [P2] Add Gemini 3.5 to model selection (research available stable model name first) — source: inbox(untriaged) → recap-relay — INBOX.md (via matrix)
+- [P2] Run full-eval suite on the signal-engine folder — source: inbox(untriaged) → ten31-signal-engine — INBOX.md (via matrix)
+- [P2] Backup-history settings tab: minimize + chevron-expand, default collapsed at bottom — source: inbox(untriaged) → ten31-database — INBOX.md (via matrix)
+- [P2] Screen refresh should preserve the current tab, not reset to top tab — source: inbox(untriaged) → ten31-database — INBOX.md (via matrix)
+- [P2] Redesign the software logo/icon (StartOS service icon) — source: inbox(untriaged) → spark-control — INBOX.md (via matrix)
+- [P2] Gitea API automation for /new-project (replace manual create/publish gate) — source: inbox(untriaged) → standards — INBOX.md
+- [P2] Run janitor agent across all projects — source: inbox(untriaged) → standards — INBOX.md (via matrix)
+- [P2] Mobile-Safari first-login-tap fails once then works — source: proof-of-work — repo ROADMAP "Known bugs" (gated on Safari error code)
+- [P2] CRM debt: dashboard comms-aggregate soft-delete sweep, `?limit=abc` crash, auth regression test, oversized StartOS icon, 5.4k-line monolith — source: ten31-database — repo Current state
+- [P2] recap known-debt cluster: SSE error-string scrub, credit TOCTOU, multi-tenant gemini-key bypass, `/api/history` perf, dep CVEs (nodemailer high), risky-file tests, doc drift — source: recap — repo ROADMAP "P2 known-debt"
+- [P2] premier-gunner eval backlog: `@fastify/static`→≥9.1.3 (path-traversal), input validation (unknown metric kind / bad dates / 400 not 500), automated record/streak/migration tests — source: premier-gunner — repo ROADMAP
+- [P2] spark-control tech debt: no tests beyond redaction suites, loose dep floors (python-multipart/starlette), opaque 500 on model POST/PUT, NGC key on process line, global mutable catalog, container root on 0.0.0.0:9999 — source: spark-control — EVALUATION.md
+- [P2] Cross-repo quality-gate standard (linters / pre-commit / CI) + `/harden` — source: standards — ROADMAP item 1
 
-**P2**
+### P3
-- [P2] keysat: ship 3 remaining multi-profile UIs (rail picker, per-profile SMTP, rail-pref editor) — source: keysat — next steps
+- [P3] Onboarding-tester Path 2 (full buyer-pays walkthrough on regtest) — source: inbox(untriaged) → keysat — INBOX.md (gated on `payment_providers:write` + network gate + sandbox flag)
-- [P2] keysat: operator data action — grant `unlimited_merchant_profiles` to Pro/Patron on master — source: keysat — next steps
+- [P3] Fix AGENTS.md endpoint wording: `POST /relay/analyze` takes `{ prompt }`, not `{ transcript … }` — source: inbox(untriaged) → recap-relay — INBOX.md
-- [P2] keysat: add `rows_affected` guard to `set_product_entitlements_catalog` (silent 200 on bad product-id) — source: keysat — Discovered
+- [P3] Operator-onboarding agent (sibling to onboarding-tester for the operator journey) — source: inbox(untriaged) → standards — INBOX.md
-- [P2] keysat: design-contract cleanup from 2026-06-16 design-checker audit — 3 blockers (gold-as-fill ×2, buy-CTA pill radius), CSS-variable consolidation, token gaps; re-run design-checker after — source: inbox(untriaged) + keysat ROADMAP — INBOX.md L44
+- [P3] proof-of-work hardening: CSP `unsafe-eval`, `/api/health` info disclosure, rate-limit map leak, shorter sessions, text max-length, unify 3rd JSON-parse — source: proof-of-work — repo ROADMAP
-- [P2] keysat: run spec-checker agent for Start9 community-registry listing — source: inbox(untriaged) — INBOX.md L52
+- [P3] premier-gunner P3: CSRF token, cross-category metric guard, logout-without-session, consistent 404s, validate category color — source: premier-gunner — repo ROADMAP
-- [P2] keysat: adversarial review — vulnerabilities, complaints, feature gaps a new user might find — source: inbox(untriaged) — INBOX.md L51
+- [P3] recap P3 deferred: request-size caps, invoice-ID hijack on `/api/credits/claim`, container root, in-memory auth rate-limit, repo hygiene, registry-submission blockers — source: recap — repo ROADMAP
-- [P2] keysat: doc-auditor website drift review + GitHub history sensitive-info review + add "license existing software" example — source: inbox(untriaged) — INBOX.md L53
+- [P3] recap-relay security/ops tail: no `/relay/*` rate limiting, container root, dashboard stored-XSS, `lan-fetch` TLS-verify off, stale `/relay/health` version, doc fixes — source: recap-relay — repo ROADMAP
-- [P2] keysat: research whether the registry must retain every prior keysat version on upgrade — source: inbox(untriaged) — INBOX.md L49
+- [P3] spark-control bulk-fix-when-touching: stale README, deprecated `@app.on_event`, `innerHTML` sink, no upload-size limits, `VLLM_PORT` crash, Makefile x86-only vs manifest aarch64 — source: spark-control — EVALUATION.md
-- [P2] recap: smoke-test Daily Digest relay-synthesis + SMTP path (operator action #5, can't run off-box) — source: recap — pending operator actions
-- [P2] recap: SMTP daily-digest delivery (feature) — source: inbox(untriaged) — INBOX.md L37
-- [P2] recap: mobile can't-scroll-to-top on recaps.cc transcript view — fix attempted in 0.2.157, UNVERIFIED, needs iPad check — source: inbox(untriaged) — INBOX.md L40
-- [P2] recap: add Gemini 3.5 to model selection (research agent to confirm available stable model names) — source: inbox(untriaged) — INBOX.md L54
-- [P2] recap: persist provider preference server-side; Export ▾ on clip panel; CI lint+type-check (near-term backlog) — source: recap — ROADMAP
-- [P2] recap-relay: add Gemini 3.5 to model selection (confirm stable model names) — source: inbox(untriaged) — INBOX.md L55
-- [P2] ten31-database: Matrix-bridge intake for fundraising grid (room listener → local-LLM parse → entity/contact creation, approval gate) — source: inbox(untriaged) — INBOX.md L45
-- [P2] ten31-database: oversized/zoomed StartOS package icon — research spec, source base logo, produce correctly sized icon before next s9pk — source: inbox(untriaged) — INBOX.md L43
-- [P2] ten31-database: explorer agent to report admin-only vs all-user web UI functionality — source: inbox(untriaged) — INBOX.md L46
-- [P2] ten31-database: auth regression test for 3 v79-gated endpoints; digest Phase B verify on box; reports soft-delete sweep; pipeline adoption; `?limit=abc` crash — source: ten31-database — next steps
-- [P2] ten31-signal-engine: run full-eval (evaluator, security-auditor, exerciser, doc-auditor, spec-checker) on the folder — source: inbox(untriaged) — INBOX.md L47
-- [P2] ten31-signal-engine: Frontier-fan-out test H6 (untested §1.1 half) — source: ten31-signal-engine — next steps
-- [P2] proof-of-work: finish P3 hardening batch + tiered AI prompt formatting; `@fastify/static` 8.3.0→≥9.1.3 (path-traversal CVEs); input-validation fixes — source: proof-of-work — ROADMAP/next steps
-- [P2] spark-control: audio concurrency sweep (only if Signal Engine dev wants the measured knee; needs owner OK) — source: spark-control — next steps
-- [P2] standards: backfill design into recaps.cc/recap (extract→reconcile Case B, on-ramp untested) — source: standards — next steps
-- [P2] standards: API automation for Gitea in `/new-project` (automate manual create/publish gate via Gitea API) — source: inbox(untriaged) — INBOX.md L35
-- [P2] standards: build keysat docs-reader subagent (can a fresh user install+run from docs alone) — source: inbox(untriaged) — INBOX.md L50
-- [P2] ten31-transcripts: add Jitsi support — source: inbox(untriaged) — INBOX.md L36
-- [P2] (target repo unclear) run janitor agent on all projects — source: inbox(untriaged) — INBOX.md L48
-- [P2] premier-gunner: confirm speed unit (mph vs km/h); optional security/test eval backlog — source: premier-gunner — next steps
 
-**P3**
+### Next actions (no Pn signal — operator's chosen next moves, not yet prioritized)
-- [P3] recap-relay: fix AGENTS.md endpoint doc — `POST /relay/analyze` takes `{ prompt }` and returns `{ result: { text } }`, not "{ transcript } → topic sections JSON" — source: inbox(untriaged) — INBOX.md L42
+- keysat: automated multi-profile webhook routing test (S) → split `audit:read` from blanket `:read` → operator-alerts-via-StartOS (verify start-sdk 1.3.2 first) → registry `prepare.sh` + on-box verification — source: keysat Current state
-- [P3] standards: build cross-repo quality-gate standard + `/harden` (linters / pre-commit / CI) — ROADMAP item 1 — source: standards — ROADMAP
+- recap: smoke-test Daily Digest end-to-end on-box (operator action #5) — source: recap Current state
-- [P3] standards: non-git-folder sweep under `~/Projects` (~13 folders) — source: standards — next steps
+- spark-control: Gemma-4-26B-A4B vision eval (download + swap-test; owner weighing vision vs text-only Qwen3.6) — source: spark-control Current state
-- [P3] Per-repo deferred P3 tech-debt tails (rolled up — full lists in each ROADMAP): recap (request-size caps, invoice-ID hijack, container-as-root, repo hygiene), recap-relay (no rate limiting, container-as-root, dashboard XSS, version-file prune), spark-control (Qdrant auth, observability, README staleness, packaging placeholders), proof-of-work (CSP, CSRF, registry blockers), premier-gunner (CSRF, delete 404s), ten31-database (TLS verify off, 5.4k-line monolith, stale ABOUT.md)
+- ten31-signal-engine: Frontier-fan-out test H6 → complete Strike reflexivity demo (un-defer RHR/CD audio) → Job A discovery scorers — source: signal-engine Current state
+- ten31-transcripts: verify naming-prompt + folder-rename on a live stop; re-process Meet session for visual fix; repoint `origin`→`gitea-home`; backend URL primary→fallback + `mmss()` NaN guard — source: ten31-transcripts Current state
+- ten31-database: in-room smoke of intake disambiguation numbered-pick grammar; spark-control intake dashboard card; NL→safe-query build; freeze v2.0 canonical thesis — source: ten31-database Current state
+- premier-gunner: confirm speed unit (mph vs km/h) — source: premier-gunner Current state
+- matrix-bridge: optional only — Docker HEALTHCHECK, trust-gate flag, priority keyword, delete vestigial `phase-0` branch — source: matrix-bridge Current state
+- standards: first real `/adjudicate` run on keysat/recap to calibrate drop-bias; Stage-1 onboarding-tester harness in a keysat session — source: standards Current state
 
-**Unprioritized — needs triage** (no explicit priority signal in source)
+### Unprioritized — needs triage (proposed new projects; routed by new-repo bootstrap, not /triage)
-- matrix-bridge ROADMAP (Phase 4+): intent-routing brain (D8, local model), thread-based session continuity, Nextcloud/CalDAV output, E2EE (D9)
+- Embedded-links reader & summarizer — source: inbox `(new:embedded-links-reader)` [P2]
-- spark-control ROADMAP: echo cancellation, LLM referee for label-merge, second audio worker, dashboard local-path/fine-tuned model support, per-model vLLM flags, Qdrant auth + snapshots
+- Portfolio-company scraper (podcasts/tweets/news digest) — source: inbox `(new:portfolio-scraper)` [P2]
-- ten31-signal-engine ROADMAP: Estimator rework H4, real resolver, claim-type weighting for §7.1, corpus expansion (BTC Sessions, River OCR), Start9 s9pk packaging
+- Personal website on Start9 Pages via StartTunnel — source: inbox `(new:personal-website)` [P2]
-- keysat ROADMAP: Zaprite dedup cache + declined-card hardening, registry-landing repurpose decision, Elastic License v2 vs `LicenseRef-Keysat-1.0`, KEYSAT_INTEGRATION re-test
-- recap ROADMAP larger plans: architecture-simplification, core-decoupling, per-tenant-subscriptions, self-serve-purchase (docs/ drafts)
-- standards ROADMAP: deterministic inbox surfacing via SessionStart hook (item 3, optional); thread inbox-check line into bootstrapping (item 4)
 
 ---
 
-## Not yet pushed down (inbox) — grouped by target
+## Not yet pushed down (inbox) — exists nowhere but INBOX.md, grouped by target
 
-These exist nowhere but the inbox; `/triage` inside each repo routes them.
+**→ keysat (7)**
+- [P2] Design-contract cleanup — 3 blockers (gold-as-fill on admin `.featured-pill-toggle.on` + `#tier-banner-cta`; buy-CTA pill radius 999px→8px), CSS-variable consolidation onto canonical palette.css, token gaps (14px card radius, wordmark letter-spacing, semantic badge hexes, syntax-highlight hex, admin `#f6f1e7`). Re-run design-checker after. (2026-06-16)
+- [P2] Research whether the registry must retain every prior keysat version on upgrade (2026-06-16)
+- [P2] Adversarial review — vulns / customer complaints / feature gaps a new user might find (2026-06-16)
+- [P2] Run spec-checker for Start9 community-registry listing (2026-06-16)
+- [P2] Website doc-auditor pass; scan GitHub history for leaked sensitive info; add a "add licensing to existing software" example (proof-of-work as a dry-run target) (2026-06-16)
+- [P2] Reorder entitlements catalog on edit-products view (2026-06-18)
+- [P3] Onboarding-tester Path 2 — buyer-pays regtest walkthrough, gated on `payment_providers:write` + network gate + sandbox-mode flag (2026-06-16)
 
-- **ten31-transcripts:** [P1] mini-retrofit (L34); [P2] add Jitsi (L36)
+**→ recap-relay (2)**
-- **keysat:** [P2] design-contract cleanup (L44); [P2] spec-checker for registry listing (L52); [P2] adversarial new-user review (L51); [P2] website drift + GitHub-history + licensing-example review (L53); [P2] research version-retention question (L49)
+- [P2] Add Gemini 3.5 to model selection (research stable model name first) (2026-06-16)
-- **ten31-database:** [P2] reconcile AGENTS networking facts — ClearNet/StartTunnel, not LAN/Tailscale (L41); [P2] oversized package icon (L43); [P2] matrix-bridge fundraising-grid intake (L45); [P2] explorer admin-vs-all UI report (L46)
+- [P3] AGENTS.md endpoint-shape doc fix: `POST /relay/analyze` is `{ prompt }`, not `{ transcript … }` (2026-06-15)
-- **recap:** [P2] SMTP daily digest (L37); [P2] mobile scroll-to-top bug (L40); [P2] Gemini 3.5 model selection (L54)
+
-- **recap-relay:** [P3] endpoint-doc wording fix (L42); [P2] Gemini 3.5 model selection (L55)
+**→ recap (1)**
-- **ten31-signal-engine:** [P2] run full-eval on the folder (L47)
+- [P2] Add Gemini 3.5 to model selection (research stable model name first) (2026-06-16)
-- **standards:** [P2] Gitea API automation in /new-project (L35); [P2] keysat docs-reader subagent (L50)
+
-- **unclear target (`?`):** [P2] run janitor agent on all projects (L48)
+**→ ten31-database (2)**
+- [P2] Backup-history tab: minimize + chevron-expand, default collapsed at bottom (2026-06-18)
+- [P2] Screen refresh should preserve current tab, not reset to top (2026-06-18)
+
+**→ ten31-signal-engine (1)**
+- [P2] Run full-eval suite on the signal-engine folder (2026-06-16)
+
+**→ spark-control (1)**
+- [P2] Redesign the software logo/icon used for the StartOS service (2026-06-18)
+
+**→ standards (3)**
+- [P2] Gitea API automation for /new-project (automate the manual create/publish gate) (2026-06-14)
+- [P2] Run janitor agent across all projects (2026-06-16)
+- [P3] Operator-onboarding agent — sibling to onboarding-tester for the operator journey (needs a clean StartOS service-install clean room) (2026-06-16)
 
 ---
 
-## Proposed new projects
+## Proposed new projects (inbox `(new:…)` — awaiting new-repo bootstrap)
 
-The `(new:…)` inbox items — ideas awaiting the new-repo bootstrap (`/new-project`), not tasks in an existing repo.
+- **embedded-links-reader** [P2] — give the app an article/blog URL; it scrapes the author-embedded links, reads them, and summarizes them (2026-06-14)
-
+- **portfolio-scraper** [P2] — tracks portfolio companies for podcasts, social tweets, founder appearances, news; delivers a digest via email or another interface (2026-06-14)
-- **new:embedded-links-reader** [P2] — give the app an article/blog URL; it scrapes the author's embedded links, reads them, and summarizes them (L38)
+- **personal-website** [P2] — host on Start9 Pages, clearnet via StartTunnel; build HTML, style with Claude Design, gather inspiration first (2026-06-16)
-- **new:portfolio-scraper** [P2] — tracks portfolio companies (podcasts, tweets, founder appearances, news) and delivers a digest via email/another interface (L39)
-- **new:personal-website** [P2] — personal website on Start9 Pages, served on clearnet via StartTunnel; HTML site, Claude Design for styling, gather inspiration (L56)
 
 ---
 
 ## Gaps
 
-- **ten31-transcripts reader ambiguity.** The Explore reader returned a macOS menu-bar call-recorder summary (dual-track capture → Spark Control). The inbox (L34) describes ten31-transcripts as a Swift app with **no `.claude/` dir** and a queued P1 mini-retrofit. These may be the same app, or the reader may have surfaced an adjacent app's docs. The repo's authoritative state isn't fully confirmed from this run — re-read its own AGENTS.md before acting, and treat the mini-retrofit as the known truth.
+- **No AGENTS.md/Current-state gaps among scanned repos** — all 11 returned a description, current state, next steps, and ROADMAP backlog. No reader failed.
-- **ten31-transcripts has no `.claude/` dir** (per inbox L34) — so it does not yet carry the portable inbox-check line; its items only surface via this roundup and the inbox, not at its own session start.
+- **Inbox formatting:** two INBOX.md lines have items mashed together without a newline (line 41: keysat registry-retention + keysat adversarial-review; line 48: standards operator-onboarding agent + ten31-database backup-history). Both items were preserved/counted above; the lines should be split when next triaged.
-- **No automated test suite:** ten31-signal-engine explicitly flags this; spark-control has tests but several subsystems remain untested.
+- **Untested / unverified, by the repos' own words (not gaps in this roundup, just open verification debt):** standards `/adjudicate` untested on a real backlog; recap Daily Digest not yet smoke-tested on-box; ten31-transcripts naming-prompt+rename and Meet visual fix unverified on a live run; ten31-database intake numbered-pick grammar unsmoked; ten31-signal-engine has no automated test suite and the Strike reflexivity demo is unexercised.
-- **Inbox item with `?` target** (run janitor on all projects, L48) has no owning repo — needs a triage decision on where it lives.
+- **Non-git folders under `~/Projects` not covered:** 13 folders (listed at top) are not git repos — out of scope for this roundup, but `satoshi-sleep (need to add code)` and the standards "non-git-folder sweep" (ROADMAP item 6 residual) both suggest a sweep is still owed.
-- **Non-git folders under `~/Projects`** were not enumerated (the ~13-folder sweep is itself a standards ROADMAP item, deliberately out of scope here).
-- **Stale-state / unverified risk:** several "live" states depend on pending operator on-device checks — recap Daily Digest path (off-box, not smoke-tested), recap mobile-scroll fix (UNVERIFIED), proof-of-work mobile-Safari first-login (gated on error code), premier-gunner in-app password change (reverts on restart).

adapters/claude/commands/adjudicate.md

@@ -0,0 +1,20 @@
+---
+description: Debate each low-priority (P2/P3) backlog item on this repo's ROADMAP to a DROP/DO/ESCALATE verdict — recommend-only, applied on your approval
+argument-hint: [optional scope, e.g. a ROADMAP item number or "P3"]
+---
+
+Adjudicate the low-priority technical backlog of the repository in the current working
+directory. Scope, if any: $ARGUMENTS
+
+Your complete orchestration guide — phases, the per-item investigate→debate→judge pipeline,
+the three verdicts (DROP / DO / ESCALATE), and the report + approval flow — is at:
+
+    ~/Projects/standards/guides/adjudicate.md
+
+Read it in full first, then follow it exactly. If you cannot read that file, stop and report
+precisely that — do not improvise the adjudication.
+
+Claude Code specifics for Phase 2: per item, launch the investigator first, then the build- and
+drop-advocates as a single parallel batch, then the judge; run items concurrently in batches to
+keep the fan-out manageable. These are read-only role agents — the only write is the ROADMAP
+edit in Phase 4, after the owner approves.

guides/adjudicate.md

@@ -0,0 +1,143 @@
+# Adjudicate — debate low-priority backlog items to a verdict
+
+*Substance file per the portability protocol. Vendor wrappers (e.g.
+`adapters/claude/commands/adjudicate.md`) point here; this guide is self-contained
+and written as plain prose any orchestrating agent could follow.*
+
+You are running inside one project repo. Low-priority technical/backend items pile up on its
+`ROADMAP.md` that the owner can't easily judge the necessity of — and shouldn't have to spend
+expertise on, precisely *because* they're low priority. Your job is to run a grounded debate
+over each eligible item and reach a verdict, so the owner ratifies decisions instead of
+researching them.
+
+**Recommend-only.** You never execute, build, or ship anything here. Your output is verdicts
+and a single batch of ROADMAP edits the owner approves. The most you change is the backlog
+itself.
+
+**Autonomy is gated by blast radius, not priority.** A low-priority item can still be
+dangerous (it touches data, auth, money, an external surface, or changes observable app
+behavior). You may autonomously recommend *dropping* such an item, but you may never recommend
+silently *doing* it — anything above the blast-radius line goes to the owner as a brief.
+
+**Decide on the facts; present in plain terms.** The investigation and the judge's reasoning
+are rigorous and technical — grounded in what the code actually does, so the recommendation
+rests on real facts. But everything *shown to the owner* — both sides of each debate and the
+verdict's rationale — must be in plain language a non-specialist can act on: what the item
+really is, what doing it gets you, what skipping it costs. Don't assume jargon; when a
+technical fact is load-bearing, explain it in a phrase. The owner is judging trade-offs, not
+reading a tech spec. (The technical detail stays in the agents' analysis and can be surfaced on
+request — it's just not the default presentation.)
+
+## Phase 1 — Orient & select (no fan-out yet)
+
+1. Read this repo's `ROADMAP.md` and `AGENTS.md` (especially `## Current state`) for context.
+2. **Inbox nudge (don't triage).** Do the session-start inbox-check: if
+   `~/Projects/standards/INBOX.md` has unchecked items tagged for this repo, tell the owner
+   *"N untriaged inbox items for this repo — run `/triage` first to land them on the ROADMAP,
+   or proceed with just what's there."* You operate on ROADMAP only; never read raw inbox items
+   into the debate — that is `/triage`'s routing job, and duplicating its rules invites drift.
+3. **Select candidates.** Eligible = parked, low-priority backlog items: P2/P3 where items
+   carry an explicit priority; otherwise items that read as nice-to-have / deferred.
+   **Exclude:** P0/P1 or clearly-active items, anything already marked done/built, and
+   `(new:…)`-style new-repo seeds. If `$ARGUMENTS` names specific items (e.g. a ROADMAP number
+   or `P3`), scope to those.
+4. **Confirm the set before spending agents.** Show the owner the list you intend to adjudicate
+   (one line each) and let them trim or confirm. A full run is ~4 subagents per item — this gate
+   controls cost and catches any item that's more important than its placement suggests.
+
+## Phase 2 — Per item: investigate → debate → judge
+
+For each confirmed item, run this pipeline (items may run in parallel where your tooling
+allows; within an item the stages are sequential):
+
+1. **Investigator** (read-only). Grounds the debate in reality so it isn't two models
+   speculating. Reads the actual code and reports: does the problem this item describes actually
+   exist, or is it already handled? What would the change touch (files, surfaces)? **Classify
+   blast radius:** LOW (reversible, internal, test-covered, no observable behavior change) or
+   HIGH (touches data/auth/money/an external surface, or changes observable app behavior). When
+   unsure, classify HIGH.
+2. **Build-advocate** and **Drop-advocate** (in parallel). Each receives the item text and the
+   investigator's findings and argues one side honestly, citing the findings — not speculation.
+   Reason from the technical facts, but **write the case for a non-specialist**: lead with the
+   practical stakes and translate any jargon the argument depends on.
+   - *Build-advocate*: the concrete benefit, the cost or risk of leaving it undone, who or what
+     it helps.
+   - *Drop-advocate*: YAGNI, added complexity and maintenance, opportunity cost, whether it's
+     bells-and-whistles for its own sake.
+3. **Judge.** Receives the item, the investigator's findings (incl. blast radius), and both
+   briefs. Decides against the rubric = `how-i-work.md` + this repo's `AGENTS.md`. **Bias to
+   DROP on a tie or low confidence** — these items are already low-priority, so death is the
+   default unless a clear case is made. Decide on the technical merits, but **write the
+   rationale it emits in plain terms** (per the principle above). Emits a structured verdict
+   (next section).
+
+## The three verdicts
+
+- **DROP** — not worth doing. The only autonomously-applied call. (Still ratified in one batch
+  by the owner per Phase 4 — "autonomous" means the owner needn't understand the tech, not that
+  files change unseen.)
+- **DO** — worth doing **and** blast radius LOW. Annotate the ROADMAP item with the decision and
+  a short ready-to-act plan; surface it for the owner's go-ahead to schedule. You do **not**
+  execute it (recommend-only).
+- **ESCALATE** — worth doing **but** blast radius HIGH, **or** the judge's confidence is low,
+  **or** the item is really an epic that should be split first. Produce a balanced brief: the
+  build case, the drop case, the judge's lean, and why it's above the line. This is the owner's
+  real judgment call — made cheap because they're ratifying reasoning, not generating it.
+
+## Phase 3 — Report (inline, no file written)
+
+Show the owner one report. **Write every line in plain terms** (per the principle above) — no
+unexplained jargon, and never let a raw file path or code symbol stand in for the explanation;
+say what it means in practice. No new tracked artifact — the ROADMAP diff and the commit message
+are the durable record (same convention as `/triage`).
+
+```
+# Adjudication — <repo> — <date>
+Adjudicated N of M eligible items.
+
+## DROP — not worth doing (remove on your OK)
+- <item, in plain words> — why it's not worth it, in one plain sentence (judge confidence)
+
+## DO — worth doing and low-risk (your go-ahead to schedule)
+- <item, in plain words> — what you'd gain, in one plain sentence + the ready plan
+
+## ESCALATE — your call (touches something that matters)
+- <item, in plain words>
+    For it:      <the strongest plain-language case to do it>
+    Against it:  <the strongest plain-language case to skip it>
+    Judge's lean: <which way, and why, in plain terms>
+    Why it's yours: <what makes it consequential — e.g. changes app behavior, touches data/money>
+```
+
+The plain-language "For it / Against it" pair is the heart of an ESCALATE — it's the easy-to-read
+two sides the owner weighs. Keep each to a few plain sentences.
+
+## Phase 4 — Approve, apply, commit
+
+1. **One approval gate.** Wait for the owner to confirm the batch. Never edit `ROADMAP.md`
+   before they approve — it's a durable file (same rule as `/triage`).
+2. **Apply** the approved changes to `ROADMAP.md`: delete DROP items outright (git history is
+   the record — don't leave tombstones); annotate DO items with the decision + plan; annotate
+   ESCALATE items with the judge's lean so the brief isn't lost.
+3. **Commit.** Present the proposed message and wait for confirmation (one approval covers
+   commit + push, per `how-i-work.md`). The message records the verdicts and the why for each
+   drop — that *is* the audit trail. No AI-attribution trailer.
+4. **Report** what was dropped, what's queued as DO, and what's waiting on the owner as
+   ESCALATE.
+
+## Rules
+
+- Recommend-only. Never execute, build, or ship — your single write is the ROADMAP edit, after
+  approval.
+- Never auto-recommend *doing* a HIGH-blast-radius item; route it to ESCALATE. When blast radius
+  is unclear, treat it as HIGH.
+- Ground every argument in the investigator's findings. If the investigator can't read the code
+  or the item is too vague to investigate, say so and ESCALATE it rather than debating in a
+  vacuum.
+- Present in plain terms. The report and both sides of every debate must read for a
+  non-specialist; the technical rigor lives in the decision, not the prose shown to the owner.
+- Don't read raw inbox items into the debate — nudge the owner to `/triage` first. ROADMAP is
+  the only input.
+- Preserve the owner's judgment as the gate: propose verdicts, apply only on approval, and
+  surface anything consequential rather than deciding it.
+- If blocked at any point, report exactly what blocked you — never fabricate a verdict.

guides/design-checker.md

@@ -40,7 +40,10 @@ A path to the repo to audit (default: the current working directory).
 
 - **Color** — UI colors trace to a token in `tokens.tokens.json` (directly or via a CSS
   custom property generated from it). Hardcoded hex/rgb values that don't match any token are
-  violations; off-palette colors are violations.
+  violations; off-palette colors are violations. **Exception — standalone generated documents**
+  (a share/print/email export that ships its own `<style>` with no `:root`): they legitimately use
+  literal hex because `var()` can't resolve without the token block, so audit them against the token
+  *values* and don't flag the literal hex itself as a violation.
 - **Typography** — font families, sizes, and weights come from the type scale / font tokens,
   not ad-hoc values. Headings and body follow the `DESIGN.md` typography rules.
 - **Spacing & layout** — margins, padding, and gaps use the spacing scale; layout density and

guides/design.md

@@ -113,7 +113,11 @@ canvas. Work it out *with* the user, inspiration-first:
    component treatments, depth/elevation — **including the inconsistencies** (the three
    almost-the-same blues, the four heading sizes). A read-only `design-checker` cannot do this
    (it needs a contract to check against), so inventory here in the main thread, optionally
-   delegating a read-only reader to gather the raw values.
+   delegating a read-only reader to gather the raw values. First **enumerate every styling
+   surface** — there is often more than one (a second stylesheet, a separate auth/landing
+   page, *CSS embedded in a string literal* that ships a self-contained export); a grep over
+   one `<style>` block silently misses the others. And **read the brand mark / icon before the
+   CSS** — it frequently encodes the intended color story the code only partly realized.
 2. **Reconcile with the user.** Surface the conflicts and let them make the **canonical calls**
    — which blue is *the* blue, which scale is *the* scale. Organically-arrived-at does not mean
    correct; their taste decides. This is the high-value human step; don't auto-resolve it.
@@ -276,6 +280,45 @@ us things. Brand facts never go here; only generalizable process/distillation kn
   drift risk — name a canonical `brand/palette.css`, point `DESIGN.md` §Agent-guide at it, and log
   the consolidation as backlog. Before relocating an existing design dir into `_imports/`, grep
   that **nothing imports it** (in keysat, nothing did — safe to move).
+- *(first Case-B extract run, 2026-06-16, recap)* **Harvest the inventory with grep frequency
+  tables in the main thread, not a delegated reader.** For a ~13k-line single file with ~450
+  inline styles, `grep -oE '<pattern>' | sort | uniq -c | sort -rn` per dimension (hex, rgba,
+  font-size, weight, radius, shadow, breakpoint) produced a complete *ranked* census that stayed
+  in context for the reconcile conversation — a sub-agent would have returned excerpts. The
+  **use-counts themselves are the reconcile evidence**: "which dark is THE background" is answered
+  by "132 uses + it's the PWA `manifest.json theme_color`," turning a taste call into a confirmation.
+- *(first Case-B extract run, 2026-06-16)* **Disambiguate near-duplicates with frequency + an
+  external anchor**, not the eye. Ranking each value by use-count and cross-referencing a fixed
+  reference (the PWA `theme_color`, the icon's gradient endpoints) reliably separated "one
+  canonical + N strays" from "N intentional values," which is exactly the call to hand the user.
+- *(first Case-B extract run, 2026-06-16)* **Present the reconcile conflicts as A/B/C forks,
+  recommended-option-first, with the candidate values in each option's preview.** Surfacing four
+  conflicts (the background, the accent, the surface ladder, the type scale) as one batch of
+  multiple-choice questions — each preview a monospace block showing the rival hexes in context —
+  let the owner make every canonical call in a single turn instead of a long volley. This is the
+  high-value human step; make it cheap to answer.
+- *(first Case-B extract run, 2026-06-16)* **For a document-as-is extract, the "inspiration" is the
+  code itself.** There is no external reference set and no export bundle, so `BRIEF.md` and
+  `_imports/` are correctly skipped; instead write `inspiration/README.md` pointing at the
+  harvested source files + the brand icon as the de-facto reference, and copy the icon into
+  `brand/`. That preserves the *why/where* record the folder convention exists for.
+- *(Case-B cleanup-execution run, 2026-06-17, recap)* **Scope an inline-hex→`var()` sweep to
+  CSS-value position, not to `style=` attributes.** Convert a hex only where the character before
+  `#` is not a quote/backslash (i.e. it's preceded by `:`/space/`,`). That one rule auto-dodges the
+  spots that must stay literal — hex held in JS *logic* (`const c = …`, quoted ternary branches like
+  `${on ? "#1e293b" : …}`), SVG `fill=`/`stroke=` attributes, and `<meta theme-color>` — without a
+  hand-kept exclusion list, and it beats `style="…"` boundary-matching (which breaks on inner quotes
+  inside `${…}`). Verify after: every introduced `var()` resolves against `:root`, and 0 mapped hexes
+  remain in CSS-value position (proves no silent misses).
+- *(Case-B cleanup-execution run, 2026-06-17, recap)* **Exclude standalone generated documents from
+  var-ification.** A self-contained export (share page, print/PDF view, email body) ships its own
+  `<style>` with no `:root`, so `var(--token)` won't resolve there — its literal hex is correct, not
+  drift. Identify those regions (by line range or by the builder fn) and skip them. Snapping off-scale
+  *values* inside them is still fine, since that's a literal change.
+- *(Case-B cleanup-execution run, 2026-06-17, recap)* **`border-radius` clamps to half the shorter
+  side — use it to snap capsules for free.** A pill-shaped control (e.g. an 18px-tall count badge at
+  radius 9) renders identically at any radius ≥ half its height, so snapping *up* to the next scale
+  step (9→10) is on-scale **and** pixel-identical. Snap capsules up, not down, to avoid a visible change.
 
 ## Final report
 

guides/handoff.md

@@ -46,5 +46,12 @@ and why. The user may provide optional focus notes; weave them in where relevant
 
 Reply with a short summary: what got committed or pushed, what went into durable knowledge
 versus Current state, and anything still unresolved. If everything is clean, say it's safe
-to exit. Then, in case the user decides to keep the session alive instead, give them a
+to exit. Then give the user two ways to carry the thread forward, labelled:
-one-line `/compact Focus on ...` command tailored to what matters most from this session.
+
+- **Keep this session:** a one-line `/compact Focus on ...` command tailored to what matters
+  most from this session.
+- **Start fresh:** a paste-able opener for the next session's first message — a *pointer, not
+  a payload*. Name the one thing to pick up and where it stands (e.g. "Resume the Case B
+  design backfill, pick up at Phase D reconcile"), and trust AGENTS.md Current state — which a
+  fresh session already loads — for the rest. It must be safe to lose: never carry state in the
+  opener that isn't already on disk.

how-i-work.md

@@ -17,9 +17,10 @@ Universal preferences for any coding agent working with me, on any project. Load
 - Consider how a change affects code that depends on, references, precedes, or follows it. No change is local until you've checked its neighbors.
 - Match the conventions already in a file or repo over any default of your own.
 - Prefer small, reviewable diffs over sweeping rewrites.
-- Comments explain *why*, not *what* — don't narrate self-evident code.
+- Build only what the task needs. Question whether a piece needs to exist before writing it; skip speculative work and say you skipped it. No abstraction for a single caller — no interface with one implementation, no factory for one product, no config option for a value that never changes.
+- Comments explain *why*, not *what* — don't narrate self-evident code. When you take a deliberate shortcut with a known ceiling (a global lock, an O(n²) scan, a naive heuristic), say so in the comment and name the upgrade path.
 - Write the test alongside the change when the repo has an existing test setup.
-- Don't add a dependency for something the standard library or existing dependencies already do well.
+- Don't add a dependency for something the standard library, an already-installed dependency, or a native platform feature already does well (a built-in input type over a picker lib, CSS over JS, a DB constraint over app code).
 - Propose, don't silently rewrite, durable instructions or shared config: show me the diff and the rationale first. Exception: trivial fixes (typos, dead links).
 
 ## Git and commits